A Passion for Security

Sometimes you have to find interesting files, then grep through those specific files dynamically. With Linux this is as easy as:

find . -name <file> -exec grep -i -H <match> {} \;

This recursively looks for the files you are interested in, e.g. *.txt, and for each file found greps it for the content you want to match. Other useful variations are grepping with a regex, or using find's own filters (type, size, modification time) to narrow the search to specific kinds of files.
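As an added example (not the post's own command), here is the same find + grep pattern wrapped in two small functions so it can be reused with a filename glob and a case-insensitive extended regex. It assumes only POSIX find and grep; the directory and file names used in the comments are constructed.

```sh
#!/bin/sh
# Constructed example: find files by name glob, then grep each one.
# Restricting to -type f avoids passing directories to grep, and "{} +"
# batches files into as few grep invocations as possible.

# grep_found <dir> <name-glob> <regex>
# Prints "file:matching line" for every regular file matching the glob.
grep_found() {
    dir=$1; glob=$2; regex=$3
    find "$dir" -type f -name "$glob" -exec grep -iHE -- "$regex" {} +
}

# count_matching_files <dir> <name-glob> <regex>
# Same search, but returns only how many files contained a match
# (grep -l lists each file once), which is handy for quick triage.
count_matching_files() {
    find "$1" -type f -name "$2" -exec grep -ilE -- "$3" {} + | wc -l | tr -d ' '
}

# Usage when run directly, e.g.: ./grep_found.sh /etc '*.conf' 'passw(or)?d'
if [ "$#" -eq 3 ]; then
    grep_found "$1" "$2" "$3"
    echo "files with matches: $(count_matching_files "$1" "$2" "$3")"
fi
```

The regex is passed after `--` so a pattern starting with a dash is not mistaken for a grep option, and `-type f` keeps directories and device files out of the grep.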

This is likely because your DHCP server pushes out a SearchDomain of <whatever>.local. Edit your /etc/resolv.conf and remove the line dictating the SearchDomain, and you should see a huge boost in speed!

Windows 10 Pro supports some features that are nice to have, especially if you like to take advantage of more features of your OS than the Home edition allows for.

Windows store changes my local account to an online account

The Windows Store application requires you to sign in with your MSDN account. Once you’ve signed in and purchased the upgrade, your local Windows account is suddenly also converted to an MSDN account. This means that, upon the next restart, you can’t log on with your local account’s password anymore; you have to use your low-security MSDN password. MSDN passwords are limited to 16 characters, which I’ve blogged about earlier here: https://www.securesolutions.no/frustrations-with-microsoft-liveid-sign-on/

Is this a bug? Intended feature? I’ve got no idea.

Privacy settings reset

After the upgrade several of my privacy settings were suddenly reset. When I installed Windows Home a few days ago, I had all the privacy settings set to off, then all of a sudden, while updating my OS, the settings had reset into giving Microsoft my details:

Not only is this rude, it’s a major disrespect to the users who expect privacy. Now onto some minor nuisances.

How to upgrade?

Furthermore, once you’ve purchased the upgrade, there’s no automation in activating the upgrade for your PC. I had to turn to Google (not Bing) in order to figure out how to activate the purchase. I believe I did not miss any vital information in the upgrade process, nor did the confirmation emails from Microsoft give me any information on how to actually use the upgrade I had purchased.

In order to facilitate the upgrade I had to re-enter the store and seek to purchase the upgrade again. This time the purchase button had conveniently been replaced with an “Upgrade” button. I can see how this is useful if you are purchasing from one machine and installing on another, however please give some instructions on how to go about this.

The upgrade itself cost about 1300 NOK, or about 150 USD, which I consider rather expensive considering you already bought the OS, and this is just a feature upgrade.

Hopefully Microsoft will A) not force users onto their online platform and B) not rip users’ privacy expectations to shreds when we’ve actively chosen not to participate.

If you get an email from someone claiming that your domain is about to be registered on Chinese and other Asian top-level domains, don’t worry. This is very likely a scare tactic to get you to buy the domains from them at a high price. Ignore it, and move on.

Here’s an example:

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent. If this email affects you, we are very sorry, please ignore this email. Thanks)

We are a Network Service Company which is the domain name registration center in China.
We received an application from Hualong Ltd on September 19, 2016. They want to register ” securesolutions” as their Internet Keyword and ” securesolutions.cn “、” securesolutions .com.cn ” 、” securesolutions.net.cn “、” securesolutions.org.cn ” 、” securesolutions .asia ” domain names, they are in China and Asia domain names. But after checking it, we find ” securesolutions ” conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Ever had to crack something, but you don’t know the cipher? Sometimes the encrypted text gives you clues about which encryption algorithm has been used, but not always. For those cases, the script I describe in this post might be useful.

Bruteforcing the cipher type might be the only way to get through your challenge. It will create somewhat large amounts of data, but we’ll look at ways we can make it easier to process.

In the scripts below we have the following inputs:

A text file containing all the ciphers OpenSSL supports. I’ve listed a bunch of them at the bottom of this post.

The password we will be trying to guess, or a dictionary of words. A dictionary could e.g. be the top 1000 common passwords.

Encrypted.txt contains our encrypted text. The encrypted file could contain base64 data, but then we would have to add the -a flag to the command.

Before running the command, we need a directory “cipherout” in the directory where we are running the command. The following command will try the passwords CompanyName00 through CompanyName99:

This will produce a list of files inside the cipherout folder, each one representing the cipher type and the password tested. Now, analyze your cipherout folder looking for strings and alphanumeric output and see if anything makes sense. If you’re working this for a challenge, keep in mind that the resulting output could be yet another cipher.

Tools can also be used to create the passwords you are guessing. For example, a great idea could be to use Hashcat to produce the dictionary of words you can use for your cracking activities. Unfortunately Hashcat doesn’t directly support cracking these ciphers, as that tool is mostly used for cracking hashes (normally for password storage), not encryption ciphers. However, it can still create a nifty wordlist you can use. An idea would be to manually create a list of potential passwords, then use Hashcat’s word mangling rules on this wordlist. In my wordlist I have the words securesolutions and netsecurity. Applying Hashcat’s leetspeak rule on this wordlist produces the following output:
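The following is an added example, not the post's own script, that implements both procedures described above: the cipher/password brute-force loop that writes one file per combination into cipherout, and a simple word mangler standing in for Hashcat's leetspeak rule (Hashcat itself is not reimplemented; only a fixed substitution and a capitalised variant are produced). It also ranks the output files by how many non-printable bytes they contain, which is the "look for strings that make sense" step done mechanically. It assumes the openssl binary is on PATH, that the cipher list has one cipher name per line, and that DECRYPT_OPTS (e.g. "-a" for base64 input, or "-pbkdf2" if the file was encrypted with that key derivation) is set to match how the target file was produced; the file names and passwords are constructed.

```sh
#!/bin/sh
# Constructed example: brute-force the cipher type and password of an
# "openssl enc" file. Every (cipher, password) pair that decrypts without
# an error is kept as cipherout/<cipher>-<password>.txt for inspection.
set -u

# Extra options for "openssl enc -d", e.g. "-a" for base64 input or
# "-pbkdf2" if the target was encrypted with that KDF (assumption: empty).
DECRYPT_OPTS="${DECRYPT_OPTS:-}"

# gen_passwords <prefix> <first> <last>: emit <prefix>00 .. <prefix>99 style
# candidates, i.e. "gen_passwords CompanyName 0 99".
gen_passwords() {
    prefix=$1; i=$2; last=$3
    while [ "$i" -le "$last" ]; do
        printf '%s%02d\n' "$prefix" "$i"
        i=$((i + 1))
    done
}

# mangle_words < wordlist: for each word emit the word itself, a leetspeak
# form (a e i o s t -> 4 3 1 0 5 7) and a capitalised form. This is a
# stand-in for a rule engine such as Hashcat's, not a port of its rules.
mangle_words() {
    while read -r w; do
        [ -n "$w" ] || continue
        printf '%s\n' "$w"
        printf '%s\n' "$w" | sed 'y/aeiost/431057/'
        first=$(printf '%s' "$w" | cut -c1 | tr 'a-z' 'A-Z')
        rest=$(printf '%s' "$w" | cut -c2-)
        printf '%s%s\n' "$first" "$rest"
    done
}

# try_ciphers <encrypted-file> <cipher-list> <password-list> <outdir>
# Prints "<cipher> <password>" for each pair that decrypted without error
# (wrong keys usually fail padding checks; stream ciphers never "fail",
# so their output still has to be inspected). Returns 0 on any hit.
try_ciphers() {
    enc=$1; ciphers=$2; passwords=$3; outdir=$4
    mkdir -p "$outdir"
    hits=0
    while read -r cipher; do
        [ -n "$cipher" ] || continue
        while read -r pw; do
            [ -n "$pw" ] || continue
            out="$outdir/$cipher-$pw.txt"
            if openssl enc -d "-$cipher" $DECRYPT_OPTS -pass "pass:$pw" \
                   -in "$enc" -out "$out" < /dev/null 2>/dev/null; then
                echo "$cipher $pw"
                hits=$((hits + 1))
            else
                rm -f "$out"   # keep only outputs that decrypted cleanly
            fi
        done < "$passwords"
    done < "$ciphers"
    [ "$hits" -gt 0 ]
}

# rank_outputs <outdir>: print "<non-printable byte count> <file>" sorted
# ascending, so the most text-like decryption comes first.
rank_outputs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        bad=$(LC_ALL=C tr -d '[:print:][:space:]' < "$f" | wc -c | tr -d ' ')
        printf '%s %s\n' "$bad" "$f"
    done | sort -n
}

# Usage: ./crack.sh Encrypted.txt ciphers.txt passwords.txt cipherout
if [ "$#" -eq 4 ]; then
    try_ciphers "$1" "$2" "$3" "$4"
    rank_outputs "$4"
fi
```

A password list can be produced with `gen_passwords CompanyName 0 99 > passwords.txt` or `mangle_words < words.txt > passwords.txt`, and the ranking printed at the end is the first thing to read: a file with zero non-printable bytes is either the plaintext or, as the post notes, yet another cipher.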

This is a quick guide to get started with Android application testing. I won’t delve into the details of testing, but instead cover what is necessary in order to get started. The topics I go through are:

Get a hold of an Android device through emulation or physical device

Find and download the APK you want to test

Decompile the APK

Sign, Build and Install the updated APK

Find a suitable Android device

First, get hold of a suitable Android device emulator, e.g. using the Android SDK or a commercial product such as Genymotion. Alternatively, enable USB debugging on your physical device and connect your phone with a USB cable.

Get a hold of the APK

You need the APK file you want to attack. Normally developers have multiple ways of giving you access to the APK file; however, if it is only available on the Play Store, install it to your device, then pull the APK file with ADB.

Locate your package using ADB

Use the package manager to list all packages on your device.

C:\Users\Chris>adb shell pm list packages

<snip>

package:com.dropbox.android

package:com.augmentra.viewranger.android

package:com.motorola.android.buacontactadapter

package:com.google.android.apps.cloudprint

package:com.android.musicfx

package:no.securesolutions.pentest

package:com.google.android.apps.docs

package:com.google.android.apps.maps

package:com.google.android.apps.plus

package:com.android.cellbroadcastreceiver

package:com.google.android.webview

<snip>

Then figure out its path on the device

Use the package manager to locate the path of the installed package.

C:\Users\Chris>adb shell pm path no.securesolutions.pentest

package:/data/app/no.securesolutions.pentest-1/base.apk

Pull the file from the device onto your workstation

Use adb pull along with the path of the APK you discovered in the last step.

Decompile the APK

Decompiling with apktool gives us a directory tree containing assets, smali code, resources and the manifest. You can also open up the APK with a zip viewer, e.g. 7zip, and view and extract its contents.

Dalvik Executable into Java

The APK is essentially only a compressed container. You can open it up in e.g. 7zip and review its files. One of the files is a dex file, a Dalvik Executable, which is essentially the compiled Android application. This file can be decompiled into Java code using dex2jar.

C:\Users\Chris>dex2jar-2.0\d2j-dex2jar.bat base.apk

dex2jar base.apk->.\base-dex2jar.jar

The Dalvik Executable has now been converted into a Java JAR container. This can be further decompiled and inspected with a tool such as jd-gui.

Create keystore, build, sign, uninstall and deploy

Once you have made the necessary modifications, e.g. to the assets or the smali code, you are ready to rebuild and deploy the modified application.

Sign the updated APK

Uninstall the APK from the device to allow for reinstall

C:\Users\Chris>adb uninstall no.securesolutions.pentest

Install the updated APK

C:\Users\Chris>adb install base\dist\base.apk

Put it all together

The above commands get tedious to type over and over when making small modifications to your APK. Instead, chain them together into one single command line like this (commands after the keystore has been created):
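As an added example, not the post's own one-liner, the whole pull / decompile / rebuild / sign / redeploy loop from the steps above wrapped in shell functions, so a small smali or asset edit only needs one command to land on the device. It assumes adb, apktool, keytool and jarsigner are on PATH, that a v1 (JAR) signature is sufficient for the target device (newer Android releases require apksigner, which is not shown), and that the keystore name, alias, password and package name are placeholders to replace.

```sh
#!/bin/sh
# Constructed example: the APK test loop from the guide as reusable functions.
# Package name, keystore and passwords below are placeholders (assumptions).
set -eu

ADB="${ADB:-adb}"                        # assumption: adb on PATH
APKTOOL="${APKTOOL:-apktool}"            # assumption: apktool on PATH
KEYSTORE="${KEYSTORE:-pentest.keystore}" # placeholder keystore file
KEYALIAS="${KEYALIAS:-pentest}"          # placeholder key alias
STOREPASS="${STOREPASS:-changeit}"       # placeholder password, not for real use

# apk_path_from_pm <line>: turn "package:/data/app/x-1/base.apk" (the output
# of "adb shell pm path") into the bare path; empty if the line does not match.
apk_path_from_pm() {
    printf '%s\n' "$1" | sed -n 's/^package://p' | head -n1
}

# pull_apk <package>: locate the installed APK and pull it to ./base.apk.
pull_apk() {
    pkg=$1
    line=$("$ADB" shell pm path "$pkg" | tr -d '\r')   # strip CR from adb output
    path=$(apk_path_from_pm "$line")
    [ -n "$path" ] || { echo "package $pkg not installed" >&2; return 1; }
    "$ADB" pull "$path" base.apk
}

# decompile_apk: unpack base.apk into ./base (smali, resources, manifest).
decompile_apk() {
    "$APKTOOL" d -f base.apk -o base
}

# create_keystore: one-time creation of a self-signed key for re-signing.
create_keystore() {
    [ -f "$KEYSTORE" ] && return 0
    keytool -genkeypair -keystore "$KEYSTORE" -alias "$KEYALIAS" \
        -keyalg RSA -keysize 2048 -validity 10000 \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=pentest, O=example, C=NO"
}

# rebuild_and_deploy <package>: rebuild ./base, sign the result, remove the
# original app from the device and install the modified one.
rebuild_and_deploy() {
    pkg=$1
    "$APKTOOL" b base -o base/dist/base.apk
    jarsigner -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -sigalg SHA256withRSA -digestalg SHA-256 base/dist/base.apk "$KEYALIAS"
    "$ADB" uninstall "$pkg" || true   # first install has nothing to remove
    "$ADB" install base/dist/base.apk
}

# Usage: ./apkloop.sh no.securesolutions.pentest   (package name from pm list)
if [ "$#" -eq 1 ]; then
    create_keystore
    pull_apk "$1"
    decompile_apk
    # edit files under ./base here, then rebuild and push:
    rebuild_and_deploy "$1"
fi
```

After the first full run, repeating only `rebuild_and_deploy <package>` is the single step per edit; the uninstall is needed because the rebuilt APK is signed with a different key than the original and Android refuses to update across signing keys.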

When creating a new account for yourself, either at your employer, on the Internet in general or for your customers, you should in theory adhere to some best practice rules such as creating a strong password. That is:
– Above 20 characters
– A variety of special characters
– No sentences, they alone can quite easily be cracked
– Fully unique password, not used anywhere else, doesn’t look like any of your other passwords.

Sounds easy? No? Exactly… It is impossible to practice what we preach, at least without a system to help us out. In my video below I use a password manager to help me solve this issue. It might be interesting if you want a less frustrating and more secure day using good passwords.
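As an added example (not from the post), here is a small shell generator and checker for the two rules above that a script can actually verify: length above 20 characters and a variety of special characters. Uniqueness across sites and "no sentences" cannot be decided locally, which is exactly the gap a password manager fills. It assumes /dev/urandom is available and treats "a variety" as at least two distinct special characters, which is my reading of the rule rather than the post's.

```sh
#!/bin/sh
# Constructed example: generate and check passwords against the rules
# "above 20 characters" and "a variety of special characters".

SPECIALS='!@#$%^&*()_+=-'   # the special characters we allow and count

# gen_password [length]: random password from letters, digits and SPECIALS,
# drawn from /dev/urandom (assumption: available). Default length 24.
gen_password() {
    len=${1:-24}
    LC_ALL=C tr -dc "A-Za-z0-9$SPECIALS" < /dev/urandom | head -c "$len"
    echo
}

# check_password <password>: 0 if longer than 20 characters AND it contains
# at least two distinct special characters, 1 otherwise.
check_password() {
    pw=$1
    [ "${#pw}" -gt 20 ] || return 1
    distinct=$(printf '%s' "$pw" | LC_ALL=C tr -dc "$SPECIALS" | fold -w1 | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -ge 2 ]
}

# make_password [length]: keep generating until the checker accepts it
# (a 24-character draw almost always passes on the first try).
make_password() {
    until pw=$(gen_password "${1:-24}") && check_password "$pw"; do :; done
    printf '%s\n' "$pw"
}

# Usage: ./pw.sh            -> prints one password that passes the rules
if [ "$#" -eq 0 ] && [ -t 1 ]; then
    make_password
fi
```

The checker is deliberately strict about distinct specials rather than total count, so a password ending in "!!!!" does not count as varied.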

I get different people approaching me all the time regarding this question; how do you disclose security vulnerabilities? In this post I’ll share my thoughts on the subject.

First of all, you should probably stay away from researching vulnerabilities on-line without permission. Your hat will quickly turn to shades of grey, and suddenly black before you know it. However, if you still want to continue, here are some tips I’ve compiled.

Don’t test without permission; stick with bug bounty programs such as HackerOne and BugCrowd. They have huge lists of companies who volunteer their systems to be tested by hackers. Do note, some restrictions usually apply. I’ve had some luck with this before, working out medium sized payouts from different companies.

Disclose it to the vendor. This is the noble and ethical thing to do when you’ve discovered a vulnerability; however, you run the risk that the vendor will not take the testing lightly.
In fact, here is an example of a very severe SQL injection vulnerability I reported through responsible disclosure. The vulnerability was found through a Google search, and verification was done on a login field to log on as administrator. My disclosure went to the customer directly, while they went to their supplier. Their response is below:

Hi <redacted>,
I can inform you that your current solution was developed quite many years ago, and we are aware of some potential security risks, however we do not consider realistic as there are multiple layers of protection throughout the system, from the outside to inside. If you migrate to our newest solution <redacted>, security will be priority 1 and we are certain most hacker attacks will be virtually impossible. To date you have nothing to worry about, but we see the potential to get you onto the newest product as-soon-as-possible.

Att: The hacker who found this
We consider it a serious offense when it comes to attacking our solution. Our policy is to consider all non-planned penetration testing as a hacker attack and we will prosecute if this type of testing repeats itself.

It is not easy to get paid for your hard work. You might’ve put hours into reverse engineering an application in order to discover the vulnerability; however, the vendor may not appreciate it in the way it should. In fact, they could try to get you to sign a non-disclosure agreement, take the report and forget it ever happened. They could even hold you liable if your vulnerability ended up on the Internet in some manner.

In case you are not getting proper replies from the vendor, you could try to reach out to their product teams directly. This will only work if you know someone to contact on the inside, albeit open source intelligence could bring you to some contact information.

If you don’t have any luck with the vendor, you could try to sell the vulnerability to companies such as HP’s Zero Day Initiative (http://www.zerodayinitiative.com/). These companies might resell the vulnerability to not-so-ethical companies and organisations.

Another option is full disclosure. Just go all out with all your information and see what happens. This can have several bad effects, e.g. black hats and script kiddies instantly abusing your information in order to commit crime or to cause chaos. You might have your 15 minutes of fame, but is it really worth it? Or you could do anonymous full disclosure, but that’s hardly ethical either. Or perhaps only through pain comes success? I won’t be the judge.

If you have leverage, e.g. you are a big commercial company and the vulnerable vendor is your supplier, you could threaten them with implications if your security concerns are not followed through, i.e. discontinuing the use of their product. Most often it helps to have one of the seniors on your side have a friendly chat with the seniors on their side.

Some news outlets, e.g. Null CTRL from Norway’s newspaper Dagbladet, have a team of journalists ready to talk with you regarding vulnerabilities. They can do the responsible disclosure for you, and when it turns into a story, something good may even come out of it, i.e. additional focus on IT security, perhaps pushing more jobs into the IT security space.

In all fairness, what you’ve done is most likely illegal, even if it is something as silly as just toying with parameters. In some cases the law is not defined clearly enough, and if you are caught doing something someone considers illegal, you might end up as the test case in court. All in all, IANAL and you should not take legal advice from anyone other than your lawyer.

Thanks for reading!

Bonus material for my Norwegian readers. This is Norsis’s reply on how to do responsible disclosure: